Artificial intelligence in cyber security: research advances, challenges, and opportunities
Zhimin Zhang 1 · Huansheng Ning 1,2 · Feifei Shi 1 · Fadi Farha 1 · Yang Xu 1 ·
Jiabo Xu 3 · Fan Zhang 1 · Kim‑Kwang Raymond Choo 4
© The Author(s), under exclusive licence to Springer Nature B.V. part of Springer Nature 2021
Abstract
In recent times, there have been attempts to leverage artificial intelligence (AI) techniques in a broad range of cyber security applications. Therefore, this paper surveys the existing literature (comprising 54 papers mainly published between 2016 and 2020) on the applications of AI in user access authentication, network situation awareness, dangerous behavior monitoring, and abnormal traffic identification. This paper also identifies a number of limitations and challenges, and based on the findings, a conceptual human-in-the-loop intelligence cyber security model is presented.
Keywords Cyber Security · Artificial Intelligence · Security Methods · Human-in-the-Loop
1 Introduction
As our society becomes more connected and technologically advanced, the role of security solutions and mitigation strategies will be more important. The challenge of securing our systems and society (that relies on these systems) is, however, compounded by the con-
Hence, designing more efficient and effective cyber security solutions is a topic of ongoing interest.
3 School of Information Engineering, Xinjiang Institute of Engineering, Xinjiang, China
4 Department of Information Systems and Cyber Security, University of Texas at San Antonio,
San Antonio, TX 78249-0631, USA
1 Cloud adoption risk report 2019 (pdf) https://mscdss.ds.unipi.gr/wp-content/uploads/2018/10/Cloud-Adoption-Risk-Report-2019.pdf (2019).
Cyber security refers to the use of various measures, methods, and means to ensure that systems are protected from threats and vulnerabilities, and to provide users with correct services efficiently. Therefore, the cyber security mentioned in this paper includes threats
threats will have a severe impact on the regular operation of the systems, so the goal of cyber security is to protect against threats as much as possible, and to meet, in a timely and effective manner, the requirements of detection before the accident, handling during the accident, and recovery after the accident.
In recent years, there have been attempts to design artificial intelligence (AI)-based solutions for a broad range of cyber security applications, partly due to the growing under-
example, AI-based approaches to model nonlinear problems have been shown to perform well
threat classification. Interests in AI-based solutions are also partly driven by advances in computing capabilities. For example, according to Stanford University’s AI Index 2019 Report,⁴ the time required to train a large-scale image classification system on cloud infrastructure decreased from approximately three hours in October 2017 to about 88 seconds in July 2019. Computing power for AI-based approaches is also reportedly doubling every three months or so, surpassing Moore’s law. Such capabilities can be utilized to improve
is also known that machine intelligence cannot totally replace human intelligence, and the next generation of AI will most probably combine both human and machine intelligence.
Therefore, this paper surveys and summarizes key AI-based approaches for cyber security applications in user access authentication, network situation awareness, dangerous behavior monitoring, and abnormal traffic identification. Specifically, the following academic platforms are mainly searched: Google Scholar, ACM Digital Library, IEEE Xplore, SpringerLink, and ScienceDirect, as well as archival sites: ResearchGate, using the keywords and Boolean operators such as:
– (“artificial intelligence” OR “AI” OR “machine learning”) AND (“access authentication” OR “mode authentication” OR “biometric authentication”),
– (“artificial intelligence” OR “AI” OR “machine learning”) AND (“situation awareness” OR “security situation awareness”),
– (“artificial intelligence” OR “AI” OR “machine learning”) AND (“dangerous monitoring” OR “attacks”),
– (“artificial intelligence” OR “AI” OR “machine learning”) AND (“traffic identification”
2 What’s the difference between network security & cyber security? https://www.ecpi.edu/blog/whats-difference-between-network-security-cyber-security (2020).
3 Ai in cybersecurity-capgemini worldwide https://www.capgemini.com/news/ai-in-cybersecurity/ (2020).
4 Ai index 2019 report (pdf) https://hai.stanford.edu/sites/g/files/sbiybj10986/f/ai_index_2019_report.pdf (2020).
5 Enterprise immune system-darktrace https://www.darktrace.com/en/products/enterprise/ (2019).
6 Invincea launches x-as-a-service managed security https://www.eweek.com/security/invincea-launches-x-as-a-service-managed-security (2020).
7 Cognigo-infosecurity magazine https://www.infosecurity-magazine.com/directory/cognigo/ (2019).
– The subject of the article aligns with the topic of our survey
– The article was published in a peer-reviewed journal or a conference
– The article was published within the last five years
In addition, the paper located a number of related literature review and survey articles
(Note: the column of Number of articles discussed only counts the related methods and frameworks.)
The remaining part of this paper is organized as follows. In the next two sections, the paper briefly reviews the key advantages and limitations of utilizing AI in the four cyber security applications (i.e., user access authentication, network situation awareness, dangerous behavior monitoring, and abnormal traffic identification). In the fourth section, the conceptual human-in-the-loop cyber security model is presented. Finally, the last section concludes this paper.
2 Potential applications of AI in cyber security applications
This section reviews related literature on AI-based solutions for user access authentication, network situation awareness, dangerous behavior monitoring, and abnormal traffic identifi-
2.1 User access authentication
2.1.1 User access authentication requirements
As the first line of defense in cyber security, the system needs to strengthen the management of user access authentication, accurately identify all kinds of camouflage behaviors, and detect illegal or malicious objects. Before operation, the system should ensure that users are authenticated. At the same time, the user data should be confiden-
shows that in the current authentication process, one of the research focuses on adding other features to enhance the uniqueness of password matching process, so as to minimize the probability of others passing off as legitimate users.
2.1.2 Cases of mode authentication
How to match passwords and add other user characteristics to ensure the security of dual authentication is a challenge that needs to be solved in mode authentication. For example, current ATMs only use PIN codes for identity verification. This single mode does not guar-
password matching in the password authentication system, but also trained the user’s keyboard using some styles through neural network. These styles included the user’s typing speed
a kernel function with both global and local functions, and they built a mobile communication network security authentication mechanism based on Support Vector Regression
Vector Machine (One-Class SVM) to realize keystroke dynamics pattern recognition, and
Convolutional Neural Network (CNN), reinforcement learning, and transfer learning to construct a physical authentication scheme. It aimed at mobile edge computing, and was used to resist rogue edge attacks.
2.1.3 Cases of biometric authentication
Compared with mode authentication, biometric authentication has been widely concerned
pointed out that to ensure the network security and stability of cooperation, it was necessary to determine whether the other party is an AI or a human user. Therefore, it was necessary to use “reverse Turing test” (a group of problems that can be solved by humans but not by computers). After determining whether it is a machine or a human, in order to prevent others from passing off, humans need to be verified. At present, the identification is mainly based on the inherent characteristics of the human body (such as fingerprint, iris, etc.) and behavioral characteristics (such as voice, gait, etc.), and the powerful self-learning ability of AI that can effectively use them.
Fig. 1 User access authentication research focuses
fingerprint feature point matching algorithm based on Artificial Neural Network (ANN) and compared the distance between feature points; the training process was accelerated by
proposed a new fingerprint classification method based on modified Histograms of Oriented Gradients (HOG) descriptor, and this system used Extreme Learning Machine (ELM) with
framework based on CNN. The features extracted from the clear and fuzzy pictures were
proposed an ANN based on local binary mode to realize contour face recognition. Verma et al
method that uses dilated convolution to extract extra iris features, and several evaluation
Convolution Neural Network (DCNN) for iris recognition. Another technology combining AI and feature extraction technology, namely genetic and evolutionary feature extraction technol-
a recognition
(RNNs) in the field of voice recognition. Some researchers introduced ladder networks to
(DBN) to extract features and Proximal SVM to achieve recognition. Gait, as an important part of behavioral characteristics, has also attracted many researchers. For instance, Uddin
Basis Function Neural Network (RBFNN) to eliminate the influence of perspective on gait recognition and achieved good results in the experiment. C4.5 decision tree (Thongsook
performed well in gait recognition.
8 Speech emotion recognition using semi-supervised learning with ladder networks. In: 2018 First Asian Conference on Affective Computing and Intelligent Interaction (ACII Asia), pp. 1–5 (2018).
2.2 Network situation awareness
2.2.1 Network situation awareness requirements
In the process of network construction, the network designers may not find the vulnerability and insecurity in the network topology. In the process of network use, coping with the non-uniform flow of data, which exposes the position of the network, perceiving the weak link of the network in advance, and providing the basis for network adjustment all require network situation awareness. In the process of network situation awareness, complex networks need to be modeled, the security situation of the network analyzed, and finally the quantitative results of network situation awareness given. To achieve this process, it is required that the situation awareness model has a strong knowledge base, from which it can quickly detect and match the network situation. At the same time, the model needs the ability to extract features for situations that have never appeared in the network. Besides, reasoning can be realized to give reliable perception results.
2.2.2 Cases of network situational awareness combined with AI
Multi-entity Bayesian networks (MEBN) performs well in situational awareness, but there are some problems such as complex, so the idea of human-aided was used (Young Park
assessment model based on Random Forest. Every tree in the forest used independent samples and participated in the classification together, making the final result more objective. Li
situation awareness mechanism. This model used RBFNN for situation prediction. Yang et al
can help assess the network situation.
Network (WNN) based on particle swarm algorithm to achieve network situational awareness. They also designed a new algorithm to reduce data attributes. This research was committed to meeting the requirements of situation awareness in big data environment. Naderpour
a fuzzy risk estimation method to generate results. In this design, the idea of
AI to optimize the design of information security situation awareness system, including optimizing system hardware configuration, standardizing the synchronous operation mechanism of AI in multiple data security perception, improving the information security situation inference algorithm, designing the system software structure, and adding comparative repair steps based on security characteristic parameters.
2.3 Dangerous behavior monitoring
While new technologies such as big data and cloud computing continue to emerge, hackers’ offensive methods are also constantly developing. With the rapid growth of data volume and increasing access to the Internet, hackers are committed to finding “lethal points” of the network and launching attacks on the network at any time. The original intrusion detection systems have been unable to adapt to the characteristics of the network. However, the high-speed flow of data is also conducive to finding traces left by hacking activities, and has become important evidence for taking security precautions in advance. In order to achieve cyber security with accurate methods, it is necessary to monitor dangerous behaviors and their types in time. Otherwise, there will be a situation of “emergency medical treatment”, which effectively protects the network but wastes a lot of resources. To this end, researchers have begun to improve and innovate on the basis of the original intrusion detection systems to make the current network requirements of the intrusion detection systems as scalable as possible.
behavior detection method. It combined the deep feature extraction and multi-layer integrated Support Vector Machine (SVM) and used the distributed DBN to reduce the dimension of large-scale network traffic dataset to find abnormal behaviors. Kanimozhi and Jacob
The system used ANN technology to detect botnet attacks and was able to deploy on
machine learning in a cloud computing environment. The system fused the K-Means
proposed a hypervisor-based anomaly detection system, in which the main technology was a neural network based on fuzzy C-means algorithm. In the cloud computing environment, the system showed good performance under low frequency attack.
Some systems focused on monitoring a single dangerous behavior, such as Distributed
for DDoS, and achieved good results in the experiment. It used K-Means for behavior
detection method for DDoS. The whole system consisted of CNNs, RNNs, and
data collector, Hadoop-HPFS, format converter, data processing device, and neural network detection module. This system could analyze high-speed, high-traffic network systems, and neural networks could also effectively identify data packet characteristics. The advantages of AI can play a significant role in mitigating a variety of specific attacks on the
With the advent of the 5G era, some scholars have started to study the anomaly detection of 5G technologies. For example, an adaptive deep learning based 5G network anom-
two layers of deep learning models were used; one was focused on the method of using network flow aggregation detection to quickly search for abnormal signs, it mainly uses Deep Neural Network (DNN) for processing; the other one was based on the relationship between the timeline and related symptoms to identify network anomalies, and directly communicated with the monitoring and diagnosis module after finding the anomalies. The Long Short-Term Memory (LSTM) was implemented to handle time series well.
2.4 Abnormal traffic identification
Any network has a certain carrying capacity. Within the normal threshold, the network can play a significant role and provide users with high-quality services. Hackers will deliberately inject a large amount of illegal data into the network structure, which leaves the network nodes and links unable to bear the load, causes accidents and the inability to provide services for users, and can even lead to serious problems such as information loss. Providing an important basis for network situational awareness through analysis of network traffic, timely detection of high-risk behaviors in cyberspace, and effective measures are of great significance for enhancing network response and maintaining overall cyber security.
methods could be divided into four categories, which were detection methods based on
proposed an intrusion detection system framework in cloud computing. This framework could be integrated on different cloud levels and could capture traffic then sent it to ANN. Zhang
deep learning to implement traffic anomaly detection in multi-class imbalanced networks.
It was mainly composed of two parallel CNNs and used multiple feature fusion methods
and proposed an end-to-end network traffic recognition framework based on deep learning. The framework had a two-layer structure; it used CNN to extract features and LSTM to record time characteristics. Kong’s team is dedicated to the combination of abnormal traffic identification and AI. They compared the performance of K-means (unsupervised)
they proposed to use parallel computing to accelerate the training of the model (Kong et al
2.5 Summary
The aforementioned four subsections respectively introduced the AI in cyber security from different aspects. This subsection mainly summarizes the relevant technologies used in var-
By summarizing these articles, it is found that most of the proposed methods are
them, 24% of the methods used CNN, 15% of the methods used SVM, and 12% of the
detailed usage proportion). These basic methods provide the basis and reflect the feasibility and superiority for the applications of cyber security.
But at the same time, the field of cyber security has its own characteristics, so these articles combine the characteristics of the research direction to improve the basic methods, mainly including: methods fusion (using two or more basic methods in the model), features selection (selecting new features or expressions to improve the identification ability), and models optimization (used to speed up the parameter update speed or better finding the
In order to more clearly describe the use of basic methods in the four research aspects,
researches focused on features selection. Network situation awareness and dangerous behavior monitoring focused on the research of models optimization and methods fusion. Models optimization was regarded as the focus of abnormal traffic identification. For different research aspects, researchers can choose to determine the means of using the methods, and finally get the purpose of achieving new breakthroughs in technology.
Figure 3 shows a model that summarizes most of the research ideas in the field of cyber security. This model deals with security issues through four steps, including data selection and acquisition, data feature extraction, model construction, and specific applications. To this end, the entire model is divided into four levels as follows:
– Data layer: data selection is the most basic work, and the quality of data selection directly affects the performance of the model. For the four research aspects, the data used in the experiments include general datasets and self-collecting datasets. In mode authentication and network situation awareness, all the articles mentioned in
self-collecting data can enrich the diversity of data, but it causes some difficulties for the accuracy of single model estimation and the comparison of different models.
On the contrary, a small number of articles in the remaining research perspectives
– Feature layer: effective feature extraction is an important factor in determining security issues accurately. The unified processing of data is a necessary step to do before starting data extraction, especially when using self-collecting datasets [e.g (Wang
and representation, but others performed separate feature extraction to enhance the
– Intelligent layer: This layer is implemented in two steps, namely modeling and evaluation. The construction of the model is an essential step to embody AI and the core content of the general model (for the basic methods and usages involved in the
judged by the evaluation methods. The main used methods were accuracy rate, followed by the equal error rate (EER). Besides, some studies used specific evaluation
– Application layer: After construction, these models either provided solutions for problems, or deployed them in combination with specific scene. The theme of the applications was consistent because of using AI to ensure cyber security.
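The four layers, walked through for keystroke-timing authentication and scored with the equal error rate, as an added example that is not taken from the surveyed papers. The timing vectors are constructed, all function names are illustrative, and a scaled Manhattan distance stands in for the neural-network and SVM models the survey cites.

```python
from statistics import mean

# Data layer: constructed timing vectors in seconds (not from any dataset).
# Layout: [hold key 1, flight 1->2, hold key 2, flight 2->3].
ENROLL = [[0.10, 0.20, 0.12, 0.18], [0.11, 0.22, 0.11, 0.20],
          [0.09, 0.21, 0.13, 0.19], [0.10, 0.19, 0.12, 0.21]]
GENUINE = [[0.10, 0.21, 0.12, 0.19], [0.11, 0.20, 0.13, 0.20],
           [0.09, 0.22, 0.11, 0.18]]
# The last impostor sample imitates the owner's rhythm closely.
IMPOSTOR = [[0.15, 0.30, 0.08, 0.25], [0.07, 0.12, 0.16, 0.28],
            [0.13, 0.26, 0.15, 0.14], [0.10, 0.21, 0.13, 0.20]]


def fit_template(samples):
    """Feature layer: per-feature mean and mean absolute deviation."""
    columns = list(zip(*samples))
    means = [mean(col) for col in columns]
    spreads = [max(mean([abs(x - m) for x in col]), 1e-6)
               for col, m in zip(columns, means)]
    return means, spreads


def score(template, sample):
    """Intelligent layer: scaled Manhattan distance (higher = less like the owner)."""
    means, spreads = template
    return sum(abs(x - m) / s for x, m, s in zip(sample, means, spreads))


def far_frr(genuine_scores, impostor_scores, threshold):
    """False accept and false reject rates when score <= threshold is accepted."""
    far = sum(s <= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s > threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def equal_error_rate(genuine_scores, impostor_scores):
    """Evaluation: sweep observed scores as thresholds and return (EER, threshold)
    where FAR and FRR are closest; the EER is their average at that point."""
    best = None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        far, frr = far_frr(genuine_scores, impostor_scores, t)
        candidate = (abs(far - frr), (far + frr) / 2, t)
        if best is None or candidate < best:
            best = candidate
    return best[1], best[2]


def authenticate(template, sample, threshold):
    """Application layer: accept the attempt only if it is close to the template."""
    return score(template, sample) <= threshold


def run_pipeline():
    template = fit_template(ENROLL)
    genuine_scores = [score(template, s) for s in GENUINE]
    impostor_scores = [score(template, s) for s in IMPOSTOR]
    eer, threshold = equal_error_rate(genuine_scores, impostor_scores)
    return template, genuine_scores, impostor_scores, eer, threshold


if __name__ == "__main__":
    template, g, i, eer, threshold = run_pipeline()
    print("genuine scores :", [round(s, 2) for s in g])
    print("impostor scores:", [round(s, 2) for s in i])
    print(f"EER = {eer:.3f} at threshold {threshold:.2f}")
```

The imitating impostor is accepted at the EER threshold while one genuine attempt is rejected, which is the trade-off a single accuracy figure hides.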
In addition, this paper also summarizes some of innovative methods mentioned in
classification models, and maximum accuracy of methods. At the same time, timeliness and complexity are also used to compare the various methods. These two indicators can reflect the effectiveness of the methods, which also meet the processing requirements of cyber security issues.
In the field of cyber security, AI can play an important role, but at the same time, it needs to be adjusted to make this technology more suitable for the use requirements of this field. How to achieve fast detection, improve detection accuracy, and mine data characteristics are the focus of the current research in this field.
3 Limitations of AI-based approaches
Can AI detect all uncertain events? The answer is no. As a “double-edged sword”, this new technology has its own shortcomings as well as a good performance. This section discusses the factors that make the AI model dishonest in the field of cyber security.
3.1 Interference of confusing data
How much interference can cheat AI? Maybe one pixel is enough. Su et al’s experiment
used the Generative Adversarial Network (GAN) to obtain malware samples, which could bypass the detection system. As can be seen from these examples, once the data is “infected”, there is a chance to cheat the AI system, resulting in the unsafe state of the network.
3.2 Maliciously modified model
The implementation of an AI model is a program, which may have some vulnerabilities. These vulnerabilities may be due to the designer’s unreasonable and careless design of the logical structure of the model. They may come from specific high-level language, hardware
the backdoor in the neural network, which made the performance of the neural network in the specific attacker sample very poor. These shortcomings also indirectly show that the answers given by the program are not necessarily accurate.
Fig. 2 Proportion of basic methods and their used